Go Back  PPRuNe Forums > Flight Deck Forums > Rumours & News
Reload this Page >

MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures

Rumours & News Reporting Points that may affect our jobs or lives as professional pilots. Also, items that may be of interest to professional pilots.

MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures

Old 17th Nov 2019, 20:12
  #4001 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 475
Originally Posted by Grebe View Post
Claim MAX software done and well tested 17 NOV in Seattle Times
From the story:

This addresses a problem identified in both accident investigations: that pilots took much longer to recognize and react to an MCAS fault than Boeing had assumed. By stopping any erroneous uncommanded movements automatically, the redesign takes the response out of the pilots’ hands altogether.

“We’re not letting the system run while the pilots are inattentive,” said the person, who required anonymity because parties to the ongoing accident investigations are not allowed to speak publicly.
Yeah, ya gotta watch out for those inattentive pilots.

These efforts to lay off responsibility and blame the folks who fly these airplanes just never end.

Last edited by OldnGrounded; 17th Nov 2019 at 23:47.
OldnGrounded is online now  
Old 17th Nov 2019, 20:27
  #4002 (permalink)  
 
Join Date: Aug 2013
Location: Washington.
Age: 69
Posts: 494
Originally Posted by Fly Aiprt View Post
Looks like a serious warning adressed to Mr Bahrami, not to concede too much to his partner Boeing...
Mr Bahrami needs to step down, or be removed. There needs to be a thorough culture change at the FAA which has to begin with him and several of the submissive managers he put in position.
GlobalNav is offline  
Old 17th Nov 2019, 21:10
  #4003 (permalink)  
 
Join Date: Mar 2019
Location: French Alps
Posts: 272
Originally Posted by GlobalNav View Post


Mr Bahrami needs to step down, or be removed. There needs to be a thorough culture change at the FAA which has to begin with him and several of the submissive managers he put in position.
What is surprising, why is he still in position ?
Or would removing him be an admission that the FAA was at fault ?
Fly Aiprt is offline  
Old 18th Nov 2019, 00:31
  #4004 (permalink)  
 
Join Date: Mar 2005
Location: N/A
Posts: 2,921
We’re not letting the system run while the pilots are inattentive
Yer gotta tell them damn inattentive pilots the system exists first.
megan is offline  
Old 18th Nov 2019, 01:19
  #4005 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 475
Even if the revised MCAS cannot act up again as it did on the crash flights, MAX pilots will still want to be comfortable with manual control of the stabilizer.

A 737 captain on a U.S. airline, who asked for anonymity to speak without permission from his employer, described his own extensive experience as a former test pilot of moving the tail manually.

He said that with the 737 tail at full nose-down position and at maximum design speed, it is “nigh impossible for a normal human to move the manual trim wheel in the nose up direction. The forces are too strong.”

Dennis Tajer, an American Airlines captain and APA spokesman, recently replicated that flight situation in a simulator, deliberately inducing an MCAS-style nose-down pitch at high speed, though still within the normal flight range.

He was able to move the wheel only “a couple of inches, but not enough.”

Tajer said that if the MAX is pitched down toward the ground, it gathers speed all too easily.

“The 737 is a slippery airplane,” said Tajer. “When you put the nose down, it wants to accelerate very quickly.”
NG pilots may want to be comfortable about that, also.
OldnGrounded is online now  
Old 18th Nov 2019, 01:35
  #4006 (permalink)  
Psychophysiological entity
 
Join Date: Jun 2001
Location: Tweet Rob_Benham Famous author. Well, slightly famous.
Age: 80
Posts: 4,724
This addresses a problem identified in both accident investigations: that pilots took much longer to recognize and react to an MCAS fault than Boeing had assumed. By stopping any erroneous uncommanded movements automatically, the redesign takes the response out of the pilots’ hands altogether.
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.

MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.

Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
Loose rivets is offline  
Old 18th Nov 2019, 02:25
  #4007 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 475
Originally Posted by Loose rivets View Post
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
I don't think "they" like it when you ask hard questions like that, Rob.

OldnGrounded is online now  
Old 18th Nov 2019, 15:32
  #4008 (permalink)  
 
Join Date: Jun 2008
Location: Cambridge UK
Posts: 148
Originally Posted by Loose rivets View Post
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.

MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.

Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
I hope that they are making false activation of MCAS survivable, and also trying to minimise the frequency of false activations. Although
keeping the hardware unchanged means that the engineers are trying to do this with at least one arm tied behind their backs.

Making MCAS survivable probably entails both minimising its potential effects (e.g. only singe-shot) and providing a practicable SOP for handling it.

Minimising the frequency of false activation probably involves lots of sanity checks on the AoA readings both separately and collectively
(e.g. beware of at-extreme and stuck-at readings).

A major problem with collective AoA checks is that each AoA is only connected to one computer. So both computers have to be fully
operational and communicating with each other to perform them. It would not surprise me if that this unanticipated communication
was far from instantaneous.

My guess that this is where the self-correcting un-commanded movements might be coming from. One computer sees that its AoA
sensor indicates that MCAS is called for and activates it, then later gets information from the other computers AoA sensor that
suggests that this was a bad idea and aborts the MCAS activation. (A lot better that waiting for a time-out to discover that the
other computer is currently inaccessible.)

PS And keep your fingers crossed that the MAX really is aerodynamically stable without MCAS. Because this sort of system is going
to disable it in response to some classes of hardware failure.
Peter H is online now  
Old 18th Nov 2019, 16:01
  #4009 (permalink)  
 
Join Date: Jan 2008
Location: uk
Posts: 788
Originally Posted by Loose rivets View Post
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.

MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.

Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
I agree, and at first sight it looks like PR have mangled engineering into something illogical, or the engineering is illogical - after all why would you stop an erroneous movement, that implies you allowed it to start, why would you allow that if you know it's erroneous, and if you don't know then how will you stop it?

BUT, I think maybe there is an explanation that makes some kind of sense (NB: what follows is pure speculation, I have no non-public info on what they are actually doing):

A while ago I sat down and worked through some implementations of MCAS logic from what we know (I then promptly lost the work, probably why I don't do that sort of stuff for real anymore), I was struck by how simple it actually works out. It is possibly as little as a two state variables, one output, one or two lookup tables and a handful of lines of code - ideal from the point of view of KISS and also for shoehorning into a hard real time control loop that has had decades of mods to use up the future-expansion CPU-time headroom from the original design. The devil is in the reset, you have to wind trim back when AOA drops (or g in original design?) to reduce column force again, but if anything messes with trim in meantime (pilot, autopilot, speed trim) you can't wind back, otherwise you risk auto-trimming back up into stall, so you must have a reset - but then when does MCAS activate again, it can't be once-per-flight (only protects you the first time), there has to be a re-activation condition too (and still does even in new version)... this is the point where the cans are opened and the worms are spewing everywhere...

When Boeing announced the revised design there was something about they would ensure the pilot could always pull 1.5g. My first reaction was "very sensible why didn't you do that before", second was "hang on that's going to be non-trivial to calculate" (third being maybe it is trivial but I've forgotten so much aero stuff I don't have a clue how). There is also the issue that the calculation will be using air data that may be incorrect - so we could be no better off than before. The 1.5g seems to have disappeared from the current write up but I suspect it is still there in some form, but now we also have AOA-compare, and other-FCC-compare - my gut-feel-guess at least an order of magnitude more code, inter-FCC comms latency, possible race conditions, orders of magnitude more analysis and testing... how the **** are they going to fit all that in??

Answer - they aren't. Longer answer - assuming FCC has (in effect) multiple real-time control loops I expect MCAS to be in the inner-most loop running many times a second, but there will also be "slower" outer loops for less time-critical longer and more complex processes, imagine "MCAS-watchdog" (or MCAS-sanity-check or whatever) does all the complex stuff and runs in one of those. That would enable allowing for inter-FCC bus latency, reducing race conditions, much larger CPU time allowance. Now we have in effect:

* MCAS (as before plus, probably, simple AOA disagree heck) - inner loop, runs many times a second (not sure how many, but a lot more than three)
* MCAS-watchdog - calculates pilot can still pull 1.5g, complex airdata sanity checks, cross checks with other FCC, shuts stuff down if it trips - and runs only three times a second

Now, this is a system where MCAS can activate erroneously but the watchdog process should catch it and shut it down within a third of a second (unless all airdata is fubar on both sides in which case good luck with anything). The watchdog process will have to alert the pilot when it shuts MCAS (and other stuff) down, I strongly suspect it will do this via the "speed trim fail" warning light. Therefore it will shut down speed trim at same time as MCAS, perfectly logical because MCAS has always been part of speed trim really, honestly, nothing to do with the fact that we can thereby avoid adding a new warning light which might need sim training. Details on the additional/new meaning of "speed trim fail" will be in a footnote on page nnn of the iPad conversion training. Speed trim fail NNC may get changed to add something like "expect degraded handling with flaps-up, plan flaps-down asap, land nearest suitable".

I think this is roughly what they've done, it matches what they've said before and the recent description, and it's a vaguely sensible way forward from where they were. It still feels like multiple layers of duct-tape over a weak spot that should never have been there in the first place, but it'll probably be enough, eventually, to get it back in the air.
infrequentflyer789 is offline  
Old 18th Nov 2019, 18:15
  #4010 (permalink)  
 
Join Date: May 2008
Location: denmark
Posts: 1
Originally Posted by Loose rivets View Post
Quote: ”By stopping any erroneous uncommanded movements automatically, the redesign takes the response out of the pilots’ hands altogether. ” What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.
MCAS did not fail.
Correct.. worked as specified..
Originally Posted by Loose rivets View Post
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
From hard electrical faults e.g. welded relays, or faults in wiring looms. Or from soft faults aka. SEU (Single-event upset).
I have been wondering why there is so strong belief in that fixing the MCAS algorithm makes the aircraft safe, when it is not unlikely that a SEU generates a runaway even if the MCAS algorithm is deleted from the system. I.e. the risk of a software introduced runaway theoretically exists on the NG, except the NG still have the cut-out switches on the yoke.
My understanding of CS 25.671/25.672 is that, either: A trim runaway must be “extremely improbable”, this require a DAL A architecture all the way from sensor to actuators. Or be capable of continued safe flight and landing following runaway. The last claim have been proven impossible, so DAL A it is.
HighWind is offline  
Old 18th Nov 2019, 21:25
  #4011 (permalink)  
 
Join Date: Sep 2017
Location: Europe
Posts: 1,553
What remains obvious is that regulatory capture is driving the process.

Thus the only way that the issues actually get resolved will be pilots and the flying public saying no more.
Rated De is offline  
Old 18th Nov 2019, 21:26
  #4012 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 475
Originally Posted by Rated De View Post
What remains obvious is that regulatory capture is driving the process.

Thus the only way that the issues actually get resolved will be pilots and the flying public saying no more.
Yes, although, if EASA doesn't simply march in step, that will be very significant.
OldnGrounded is online now  
Old 18th Nov 2019, 23:39
  #4013 (permalink)  
 
Join Date: Mar 2005
Location: N/A
Posts: 2,921
Question from SLF, if you have systems such as STS and MCAS automatically running the trim at what point does a crew decide they have a runaway?
megan is offline  
Old 19th Nov 2019, 00:35
  #4014 (permalink)  
 
Join Date: Sep 2019
Location: leftcoast
Posts: 43
Originally Posted by megan View Post
Question from SLF, if you have systems such as STS and MCAS automatically running the trim at what point does a crew decide they have a runaway?
so what happens if AOA goes fubar etc and says *** you are diving too steep**eg negative AOA > ?? degrees ***- does Mcas trim nose up ? how much, how long ? Phugoid ??

Last edited by Grebe; 19th Nov 2019 at 05:23. Reason: clsrify ' dive' error in AOA=fat fingers
Grebe is offline  
Old 19th Nov 2019, 01:20
  #4015 (permalink)  
 
Join Date: Jul 2014
Location: Harbour Master Place
Posts: 606
Originally Posted by megan View Post
Question from SLF, if you have systems such as STS and MCAS automatically running the trim at what point does a crew decide they have a runaway?
Oh come megan, that will be covered in the extensive iPad 737-MAX training package*.






* Course content increased 100%, now 2 hours in duration.
CurtainTwitcher is offline  
Old 19th Nov 2019, 05:18
  #4016 (permalink)  
 
Join Date: Mar 2019
Location: On the Ground
Posts: 114
Originally Posted by megan View Post
Question from SLF, if you have systems such as STS and MCAS automatically running the trim at what point does a crew decide they have a runaway?
Boeing will let us know, after the fact, that the crew should have figured that out.

Last edited by Takwis; 19th Nov 2019 at 13:32.
Takwis is offline  
Old 19th Nov 2019, 05:56
  #4017 (permalink)  
 
Join Date: Sep 2019
Location: leftcoast
Posts: 43
SideNote -- re the Boeing BS described as " Now, according to the Boeing website, it has over 45,000 engineers spread throughout the entire company. Such a deep roster of talent, the aerospace company has incredibly deep and specific expertise for new designs and to manage the safety and airworthiness of the nearly 14,000 Boeing airplanes flying today."

look up the following in the JDA Journal "FAA Insight and Aviation . . ."

What Faa Delegation Does—How And Why?

TOPICS:Boeing 737 Max8Mike Borfitz“Designated Airworthiness Representative’ (Dar)“Designated Engineering Representative” (Der)

Now, according to the Boeing website, it has over 45,000 engineers spread throughout the entire company. Such a deep roster of talent, the aerospace company has incredibly deep and specific expertise for new designs and to manage the safety and airworthiness of the nearly 14,000 Boeing airplanes flying today.
OK - the article IMHO is partly misleading

First- SPEEA has a total membership of about 20,000 total Engineers AND Techs which includes most ( all? ) DER/ODA type

The majority of the DER/ODA types are in the Seattle Area- Dont know the numbers, but perhaps- maybe 1000 ??

When SPEEA went on strike in 2000-2001, Boeing could NOT deliver any planes without a DER ' signature ' - That was one reason Boeing pushed a few years later the ODA system...

Granted there are some in Aerospace- St louis, etc but for commercial seattle- renton- everett is where its at.

Second -

Under the ' old' DER system- the DER could and did report directly to hjis/her FAA counterpart or committee re the area involved but were of course paid by Boeing.

But under the ODA system, the same " DER" reported THRU Boeing managment to the FAA- and could/was effectively ' filtered ' based on cost, schedule, or management incompetence.

The result is history


Grebe is offline  
Old 19th Nov 2019, 07:51
  #4018 (permalink)  
 
Join Date: Jun 2019
Location: Tana
Posts: 125
45,000 sounds like A LOT of engineers. An American aviation engineer wouldn't get out of bed for less than 100k a year. That makes it $4.5bil in salary alone. That's almost 10% of the company's revenue and over 80% of net profit.

Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
UltraFan is offline  
Old 19th Nov 2019, 15:02
  #4019 (permalink)  
 
Join Date: Mar 2014
Location: Dallas
Age: 62
Posts: 8
Where's the missing MCAS automatic trim commands?

From the preliminary report of the ET302 accident.
(many copies around the internet)
==============
At 05:40:35, the First-Officer called out “stab trim cut-out” two times. Captain agreed and First-
Officer confirmed stab trim cut-out.

At 05:40:41, approximately five seconds after the end of the ANU stabilizer motion, a third instance
of AND automatic trim command occurred without any corresponding motion of the stabilizer,
which is consistent with the stabilizer trim cutout switches were in the ‘’cutout’’ position
==============
At this point, the trim cutout switches were shutting down the output from MCAS reaching the trim motors. So, why are there no more automatic MCAS trim commands recorded? (Cyan color in the Flight data recorder tracings on page 26 of the report) The trim cutout switches shouldn't inhibit the FCC from issuing commands, just the trim motor being cutout. For approximaty two minutes, MCAS should be issuing 8 or 9 more AND automatic trim commands but, they aren't on the data trace. Flaps are up, AOA is off the chart, A/P is OFF. The only change is the stabilizer trim cutout switches were in the cutout position. How should that change MCAS from issuing more AND automatic trim commands? The trim motor is cutout from accepting the commands, but, they should still be issued from MCAS, unless there is some connection between one or both of the stabilizer trim cutout switches and the FCC MCAS program somehow? Only when the stabilizer trim cutout swiches are turned back to normal, do the automatic trim commands reappear at the end of the flight.


GroundedDinosaur is offline  
Old 19th Nov 2019, 15:23
  #4020 (permalink)  
 
Join Date: Sep 2019
Location: leftcoast
Posts: 43
Originally Posted by UltraFan View Post
45,000 sounds like A LOT of engineers. An American aviation engineer wouldn't get out of bed for less than 100k a year. That makes it $4.5bil in salary alone. That's almost 10% of the company's revenue and over 80% of net profit.

Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
from the SPEEA site www speea org today

About SPEEA - IFPTE Local 2001

The Society of Professional Engineering Employees in Aerospace (SPEEA), IFPTE Local 2001, is a professional aerospace labor union representing more than 22,650 engineers, technical workers, pilots and other professionals in the aerospace industry. Presently, our union represents employees at The Boeing Company, Spirit AeroSystems, and Triumph Composite Systems. Members work in Washington, Kansas, Oregon, Utah, Florida and California.
not too sure what the split between engrs and techs really is will try to find out



Grebe is offline  

Thread Tools
Search this Thread

Contact Us Archive Advertising Cookie Policy Privacy Statement Terms of Service

Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.